Add callback: Raised after the access token has expired.
-Add callback: Raised prior to the access token expiring.
-Add callback: Raised prior to the access token expiring.
-Remove callback: Raised after the access token has expired.
-Remove callback: Raised prior to the access token expiring.
-Generated using TypeDoc
Generated using TypeDoc
Error class thrown in case of an authentication error.
-See https://openid.net/specs/openid-connect-core-1_0.html#AuthError
-Error class thrown in case of an authentication error.
+Optional error?: null | stringOptional error_Optional error_Optional session_Optional url_Optional userOptional form: URLSearchParamsThe x-www-form-urlencoded request body sent to the authority server
-Readonly errorAn error code string that can be used to classify the types of errors that occur and to respond to errors.
-Readonly error_additional information that can help a developer identify the cause of the error.
-Readonly error_URI identifying a human-readable web page with information about the error, used to provide the client +
Optional error?: null | stringOptional error_Optional error_Optional session_Optional url_Optional userOptional form: URLSearchParamsThe x-www-form-urlencoded request body sent to the authority server
+Readonly errorAn error code string that can be used to classify the types of errors that occur and to respond to errors.
+Readonly error_additional information that can help a developer identify the cause of the error.
+Readonly error_URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
-Optional Readonly formThe x-www-form-urlencoded request body sent to the authority server
-Readonly nameMarker to detect class: "ErrorResponse"
-Readonly session_Optional stackOptional statecustom state data set during the initial signin request
-Optional url_Static Optional prepareOptional override for formatting stack traces
-Static stackStatic captureGenerated using TypeDoc
Optional Readonly formThe x-www-form-urlencoded request body sent to the authority server
+Readonly nameMarker to detect class: "ErrorResponse"
+Readonly session_Optional stackOptional statecustom state data set during the initial signin request
+Optional url_Static Optional prepareOptional override for formatting stack traces
+Static stackStatic captureGenerated using TypeDoc
Error class thrown in case of network timeouts (e.g IFrame time out).
-Error class thrown in case of network timeouts (e.g IFrame time out).
+Optional message: stringReadonly nameMarker to detect class: "ErrorTimeout"
-Optional stackStatic Optional prepareOptional override for formatting stack traces
-Static stackStatic captureGenerated using TypeDoc
Optional message: stringReadonly nameMarker to detect class: "ErrorTimeout"
+Optional stackStatic Optional prepareOptional override for formatting stack traces
+Static stackStatic captureGenerated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Internal logger instance
-Generated using TypeDoc
Static createStatic debugStatic errorStatic infoStatic warnGenerated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Provides the raw OIDC/OAuth2 protocol support for the authorization endpoint and the end session endpoint in the +
Provides the raw OIDC/OAuth2 protocol support for the authorization endpoint and the end session endpoint in the authorization server. It provides a bare-bones protocol implementation and is used by the UserManager class. Only use this class if you simply want protocol support without the additional management features of the UserManager class.
-Readonly metadataReadonly settingsGenerated using TypeDoc
Readonly metadataReadonly settingsGenerated using TypeDoc
The settings with defaults applied of the OidcClient.
-The settings with defaults applied of the OidcClient.
+Readonly acr_Readonly authorityReadonly client_Readonly client_Readonly client_Readonly clockReadonly disablePKCEReadonly displayReadonly extraReadonly extraReadonly extraReadonly fetchReadonly filterReadonly loadReadonly max_Readonly mergeReadonly metadataReadonly metadataReadonly metadataReadonly post_Readonly promptReadonly redirect_Readonly refreshReadonly resourceReadonly response_Readonly response_Optional Readonly revokeReadonly scopeReadonly signingReadonly staleReadonly stateReadonly ui_Readonly userGenerated using TypeDoc
Readonly acr_Readonly authorityReadonly client_Readonly client_Readonly client_Readonly disablePKCEReadonly displayReadonly extraReadonly extraReadonly extraReadonly fetchReadonly filterReadonly loadReadonly max_Readonly mergeReadonly metadataReadonly metadataReadonly metadataReadonly post_Readonly promptReadonly redirect_Readonly refreshReadonly resourceReadonly response_Readonly response_Optional Readonly revokeReadonly scopeReadonly signingReadonly staleReadonly stateReadonly ui_Generated using TypeDoc
Fake state store implementation necessary for validating refresh token requests.
-Fake state store implementation necessary for validating refresh token requests.
+Optional id_Optional scope?: stringOptional state?: unknownOptional resource: string | string[]Optional Readonly datacustom "state", which can be used by a caller to have "data" round tripped
-Optional Readonly id_Readonly profileReadonly refresh_Optional Readonly resourceOptional Readonly scopeReadonly session_Generated using TypeDoc
Optional id_Optional scope?: stringOptional state?: unknownOptional resource: string | string[]Optional Readonly datacustom "state", which can be used by a caller to have "data" round tripped
+Optional Readonly id_Readonly profileReadonly refresh_Optional Readonly resourceOptional Readonly scopeReadonly session_Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Readonly stateReadonly urlGenerated using TypeDoc
Readonly stateReadonly urlStatic createGenerated using TypeDoc
Readonly codeReadonly errorReadonly error_Readonly error_Optional expires_Optional id_Optional refresh_Optional scopeReadonly stateOptional url_custom state data set during the initial signin request
-Generated using TypeDoc
Readonly codeReadonly errorReadonly error_Readonly error_Optional expires_Optional id_Optional refresh_Optional scopeReadonly stateOptional url_custom state data set during the initial signin request
+Generated using TypeDoc
Optional client_Optional code_Optional created?: numberOptional data?: unknownOptional extraOptional id?: stringOptional request_Optional response_Optional skipOptional url_Readonly authorityReadonly client_Readonly client_Readonly code_Used to secure authorization code grants via Proof Key for Code Exchange (PKCE).
-Readonly code_The same code_verifier that was used to obtain the authorization_code via PKCE.
-Readonly createdOptional Readonly datacustom "state", which can be used by a caller to have "data" round tripped
-Readonly extraReadonly idReadonly redirect_Readonly request_Readonly response_Readonly scopeReadonly skipReadonly url_Static clearStatic fromGenerated using TypeDoc
Readonly authorityReadonly client_Readonly client_Readonly code_Used to secure authorization code grants via Proof Key for Code Exchange (PKCE).
+Readonly code_The same code_verifier that was used to obtain the authorization_code via PKCE.
+Readonly createdOptional Readonly datacustom "state", which can be used by a caller to have "data" round tripped
+Readonly extraReadonly idReadonly redirect_Readonly request_Readonly response_Readonly scopeReadonly skipReadonly url_Static clearStatic createStatic fromGenerated using TypeDoc
Optional Readonly stateReadonly urlGenerated using TypeDoc
Optional Readonly stateReadonly urlGenerated using TypeDoc
Readonly statecustom state data set during the initial signin request
-Generated using TypeDoc
Readonly statecustom state data set during the initial signin request
+Generated using TypeDoc
Optional created?: numberOptional data?: unknownOptional id?: stringOptional request_Optional url_Readonly createdOptional Readonly datacustom "state", which can be used by a caller to have "data" round tripped
-Readonly idReadonly request_Readonly url_Static clearStatic fromGenerated using TypeDoc
Readonly createdOptional Readonly datacustom "state", which can be used by a caller to have "data" round tripped
+Readonly idReadonly request_Readonly url_Static clearStatic fromGenerated using TypeDoc
Optional expires_Optional id_Optional refresh_Optional scope?: stringOptional session_Optional url_Optional userThe requested access token returned from the OIDC provider. The application can use this token to +
Optional expires_Optional id_Optional refresh_Optional scope?: stringOptional session_Optional url_Optional userThe requested access token returned from the OIDC provider. The application can use this token to authenticate itself to the secured resource.
-Optional expires_The expires at returned from the OIDC provider.
-Optional id_A JSON Web Token (JWT). Only provided if openid scope was requested.
+
Optional expires_The expires at returned from the OIDC provider.
+Optional id_A JSON Web Token (JWT). Only provided if openid scope was requested.
The application can access the data decoded by using the profile property.
The claims represented by a combination of the id_token and the user info endpoint.
Optional refresh_An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the +
The claims represented by a combination of the id_token and the user info endpoint.
Optional refresh_An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires. Refresh tokens are long-lived and can be used to maintain access to resources for extended periods of time.
-Optional scopeThe scopes that the requested access token is valid for.
-The session state value returned from the OIDC provider.
-Readonly statecustom state data set during the initial signin request
-Typically "Bearer"
-Optional Readonly url_Computed value indicating if the access token is expired.
-Computed number of seconds the access token has remaining.
-Array representing the parsed values from the scope.
Static fromGenerated using TypeDoc
Optional scopeThe scopes that the requested access token is valid for.
+The session state value returned from the OIDC provider.
+Readonly statecustom state data set during the initial signin request
+Typically "Bearer"
+Optional Readonly url_Computed value indicating if the access token is expired.
+Computed number of seconds the access token has remaining.
+Array representing the parsed values from the scope.
Static fromGenerated using TypeDoc
Provides a higher level API for signing a user in, signing out, managing the user's claims returned from the OIDC provider, -and managing an access token returned from the OIDC/OAuth2 provider.
-Provides a higher level API for signing a user in, signing out, managing the user's claims returned from the identity provider, +and managing an access token returned from the identity provider (OAuth2/OIDC).
+Optional redirectNavigator: INavigatorOptional popupNavigator: INavigatorOptional iframeNavigator: INavigatorReadonly settingsReturns the settings used to configure the UserManager.
Returns an object used to register for events raised by the UserManager.
Returns an object used to access the metadata configuration of the OIDC provider.
-Returns promise to query OP for user's current signin status. Returns object with session_state and subject identifier.
-Returns promise to trigger a request (via a popup window) to the authorization endpoint. The result of the promise is the authenticated User.
Returns promise to trigger a redirect of the current window to the authorization endpoint.
-Returns promise to process the signin with user/password. The result of the promise is the authenticated User.
Throws an ErrorResponse in case of wrong authentication.
-Returns promise to trigger a silent request (via an iframe) to the authorization endpoint.
-The result of the promise is the authenticated User.
Returns promise to trigger a redirect of a popup window window to the end session endpoint.
-Returns promise to trigger a redirect of the current window to the end session endpoint.
-Returns promise to process response from the end session endpoint.
-Returns promise to trigger a silent request (via an iframe) to the end session endpoint.
-Generated using TypeDoc
Optional redirectNavigator: INavigatorOptional popupNavigator: INavigatorOptional iframeNavigator: INavigatorReadonly settingsGet the settings used to configure the UserManager.
Get object used to register for events raised by the UserManager.
Get object used to access the metadata configuration of the identity provider.
+Query OP for user's current signin status.
+A promise object with session_state and subject identifier.
+Process any response (callback) from the authorization endpoint, by dispatching the request_type +and executing one of the following functions:
+ +Error If request_type is unknown or signout can not processed.
Trigger a request (via a popup window) to the authorization endpoint.
+A promise containing the authenticated User.
Error In cases of wrong authentication.
Notify the opening window of response (callback) from the authorization endpoint. +It is recommend to use UserManager.signinCallback instead.
+A promise
+Trigger a redirect of the current window to the authorization endpoint.
+A promise
+Error In cases of wrong authentication.
Process the response (callback) from the authorization endpoint. +It is recommend to use UserManager.signinCallback instead.
+A promise containing the authenticated User.
Trigger the signin with user/password.
+A promise containing the authenticated User.
ErrorResponse In cases of wrong authentication.
+Trigger a silent request (via refresh token or an iframe) to the authorization endpoint.
+A promise that contains the authenticated User.
Notify the parent window of response (callback) from the authorization endpoint. +It is recommend to use UserManager.signinCallback instead.
+A promise
+Process any response (callback) from the end session endpoint, by dispatching the request_type +and executing one of the following functions:
+ +Error If request_type is unknown or signout can not processed.
Trigger a redirect of a popup window window to the end session endpoint.
+A promise
+Process response (callback) from the end session endpoint from a popup window. +It is recommend to use UserManager.signoutCallback instead.
+A promise
+Trigger a redirect of the current window to the end session endpoint.
+A promise
+Process response (callback) from the end session endpoint. +It is recommend to use UserManager.signoutCallback instead.
+A promise containing signout response
+Trigger a silent request (via an iframe) to the end session endpoint.
+A promise
+Notify the parent window of response (callback) from the end session endpoint. +It is recommend to use UserManager.signoutCallback instead.
+A promise
+Generated using TypeDoc
Add callback: Raised after the access token has expired.
-Add callback: Raised after the access token has expired.
-Add callback: Raised prior to the access token expiring.
-Add callback: Raised prior to the access token expiring.
-Add callback: Raised when the automatic silent renew has failed.
-Add callback: Raised when the automatic silent renew has failed.
-Add callback: Raised when a user session has been established (or re-established).
-Add callback: Raised when a user session has been established (or re-established).
-Add callback: Raised when the user session changed (when monitorSession is set).
Add callback: Raised when the user session changed (when monitorSession is set).
Add callback: Raised when the user is signed in (when monitorSession is set).
Add callback: Raised when the user is signed in (when monitorSession is set).
Add callback: Raised when the user's sign-in status at the OP has changed (when monitorSession is set).
Add callback: Raised when the user's sign-in status at the OP has changed (when monitorSession is set).
Add callback: Raised when a user session has been terminated.
-Add callback: Raised when a user session has been terminated.
-Remove callback: Raised after the access token has expired.
-Remove callback: Raised prior to the access token expiring.
-Remove callback: Raised when the automatic silent renew has failed.
-Remove callback: Raised when a user session has been established (or re-established).
-Remove callback: Raised when the user session changed (when monitorSession is set).
Remove callback: Raised when the user is signed in (when monitorSession is set).
Remove callback: Raised when the user's sign-in status at the OP has changed (when monitorSession is set).
Remove callback: Raised when a user session has been terminated.
-Generated using TypeDoc
Generated using TypeDoc
The settings with defaults applied of the UserManager.
-The settings with defaults applied of the UserManager.
+Readonly accessReadonly acr_Readonly authorityReadonly automaticReadonly checkReadonly client_Readonly client_Readonly client_Readonly clockReadonly disablePKCEReadonly displayReadonly extraReadonly extraReadonly extraReadonly fetchReadonly filterReadonly iframeReadonly iframeReadonly includeReadonly includeReadonly loadReadonly max_Readonly mergeReadonly metadataReadonly metadataReadonly metadataReadonly monitorReadonly monitorReadonly popupReadonly popupReadonly popup_Readonly popup_Readonly post_Readonly promptReadonly query_Readonly redirectReadonly redirectReadonly redirect_Readonly refreshReadonly resourceReadonly response_Readonly response_Optional Readonly revokeReadonly revokeReadonly revokeReadonly scopeReadonly signingReadonly silentReadonly silent_Readonly staleReadonly stateReadonly stopReadonly ui_Readonly userReadonly userReadonly validateGenerated using TypeDoc
Readonly accessReadonly acr_Readonly authorityReadonly automaticReadonly checkReadonly client_Readonly client_Readonly client_Readonly disablePKCEReadonly displayReadonly extraReadonly extraReadonly extraReadonly fetchReadonly filterReadonly iframeReadonly iframeReadonly includeReadonly includeReadonly loadReadonly max_Readonly mergeReadonly metadataReadonly metadataReadonly metadataReadonly monitorReadonly monitorReadonly popupReadonly popupReadonly popup_Readonly popup_Readonly post_Readonly promptReadonly query_Readonly redirectReadonly redirectReadonly redirect_Readonly refreshReadonly resourceReadonly response_Readonly response_Optional Readonly revokeReadonly revokeReadonly revokeReadonly scopeReadonly signingReadonly silentReadonly silent_Readonly staleReadonly stateReadonly stopReadonly ui_Readonly userReadonly validateGenerated using TypeDoc
Optional prefix?: stringOptional store?: Storage | AsyncStorageGenerated using TypeDoc
Optional prefix?: stringOptional store?: Storage | AsyncStorageGenerated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
oidc-client-ts is a TypeScript library intended to be used by web applications and run in browsers. It provides protocol support for OIDC and OAuth2, as well as management functions for user sessions and access tokens management.
+oidc-client-ts is a TypeScript library intended to be used by web applications and run in browsers. It provides protocol support for OIDC and OAuth2, as well as management functions for user sessions and access tokens management.
If you are unfamiliar with OpenID Connect, then you should learn the protocol first. This library is designed as a spec-compliant protocol library.
@@ -26,13 +12,21 @@The remainder of this document will primarily focus on the UserManager.
-The UserManager constructor requires a settings +
To understand how to use this library see here:
+The UserManager constructor requires a settings object as a parameter:
The authority URL setting is +
The authority URL setting is
used to make HTTP requests to discover more information about the OIDC/OAuth2
provider and populate a metadata property on the settings. If the server does
not allow CORS on the metadata endpoint, then these additional settings can be
@@ -58,7 +52,7 @@
The UserManager will raise various events about the +
The UserManager will raise various events about the user's session:
const mgr = new UserManager();
mgr.events.addAccessTokenExpiring(function() {
console.log("token expiring...");
});
The User type is returned from the UserManager's getUser API.
-The oidc-client-ts library supports logging. You can set a logger by assigning Oidc.Log.logger to anything that supports a info, warn, and error methods that accept a params array. By default, no logger is configured.
The User type is returned from the UserManager's getUser API.
+The oidc-client-ts library supports logging. You can set a logger by assigning Oidc.Log.logger to anything that supports a info, warn, and error methods that accept a params array. By default, no logger is configured.
The console object in the browser supports these, so a common way to easily
enable logging in the browser is to simply add this code:
Oidc.Log.setLogger(console);
@@ -78,90 +72,25 @@ oidc-client-ts
Also, logging has levels so you can control the verbosity by calling
Oidc.Log.setLevel() with one of Oidc.Log.NONE, Oidc.Log.ERROR,
Oidc.Log.WARN, or Oidc.Log.INFO. The default is Oidc.Log.INFO.
Additional provider specific settings may be needed for a flawless operation:
+Additional provider specific settings may be needed for a flawless operation:
Amazon Cognito
const mgr = new UserManager({
// ...
// no revoke of "access token" (https://github.com/authts/oidc-client-ts/issues/262)
revokeTokenTypes: ["refresh_token"],
// no silent renew via "prompt=none" (https://github.com/authts/oidc-client-ts/issues/366)
automaticSilentRenew: false,
});
In case you would like to add additional data into the User object, you can do so during the initial sign-in request.
+In case you would like to add additional data into the User object, you can do so during the initial sign-in request.
const mgr = new UserManager();
const customState = { foo: "bar" };
mgr.signinRedirect({ state: customState });
After successful sign-in the custom state is part of the User object as state. In case of failure it is inside ErrorResponse.
This custom state should not be confused with the URL state parameter. The latter is internally used to match against the authentication state object to finish the authentication process.
-If you would like to encode a custom state string in the sign in request url, you can do so with the url_state parameter. You may want to do this in order to pass user state to the authentication server and/or a proxy and return that state as part of the response.
If you would like to encode a custom state string in the sign in request url, you can do so with the url_state parameter. You may want to do this in order to pass user state to the authentication server and/or a proxy and return that state as part of the response.
const mgr = new UserManager();
mgr.signinRedirect({ url_state: 'custom url state' })
The url_state will be appended to the opaque, unique value created by the library when sending the request. It should survive the round trip to your authentication server and will be part of the User object as url_state.
Generated using TypeDoc
Generated using TypeDoc
Readonly lengthReturns the number of key/value pairs.
-Readonly lengthReturns the number of key/value pairs.
+Sets the value of the pair identified by key to value, creating a new key/value pair if none existed for key previously.
Throws a "QuotaExceededError" DOMException exception if the new value couldn't be set. (Setting could fail if, e.g., the user has disabled storage for the site, or if the quota has been exceeded.)
Dispatches a storage event on Window objects holding an equivalent Storage object.
-Generated using TypeDoc
Generated using TypeDoc
Optional acr_Optional client_Optional disablePKCEOptional displayOptional extraOptional extraOptional id_Optional login_Optional max_Optional nonceOptional promptOptional redirect_Optional requestOptional request_Optional request_Optional resourceOptional response_Optional response_Optional scopeOptional skipOptional statecustom "state", which can be used by a caller to have "data" round tripped
-Optional ui_Optional url_Generated using TypeDoc
Optional acr_Optional client_Optional disablePKCEOptional displayOptional extraOptional extraOptional id_Optional login_Optional max_Optional nonceOptional promptOptional redirect_Optional requestOptional request_Optional request_Optional resourceOptional response_Optional response_Optional scopeOptional skipOptional statecustom "state", which can be used by a caller to have "data" round tripped
+Optional ui_Optional url_Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Native interface
-Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Standard ID Token claims.
-Standard ID Token claims.
+Optional acrAuthentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string.
-Optional addressEnd-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1.
-Optional amrAuthentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings.
-The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific.
-Optional auth_Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)
-Optional azpAuthorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
-Optional birthdateEnd-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
-Optional emailEnd-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax.
-Optional email_True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
-The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
-Optional family_Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
-Optional genderEnd-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
-Optional given_Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
-The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.
-The "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a StringOrURI value.
-Optional jtiThe "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string.
-Optional localeEnd-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US;
-Optional middle_Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
-Optional nameEnd-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
-Optional nbfThe "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
-Optional nicknameCasual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
-Optional nonceString value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.
-Optional phone_End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
-Optional phone_True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
-Optional pictureURL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
-Optional preferred_Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.
-Optional profileURL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
-Optional sidSession ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
-Subject - Identifier for the End-User at the Issuer.
-Optional updated_Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
-Optional websiteURL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
-Optional zoneinfoString from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
-Generated using TypeDoc
Optional acrAuthentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string.
+Optional addressEnd-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1.
+Optional amrAuthentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings.
+The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific.
+Optional auth_Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim semantically corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)
+Optional azpAuthorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
+Optional birthdateEnd-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
+Optional emailEnd-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax.
+Optional email_True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
+The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
+Optional family_Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
+Optional genderEnd-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
+Optional given_Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
+The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.
+The "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a StringOrURI value.
+Optional jtiThe "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string.
+Optional localeEnd-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US;
+Optional middle_Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
+Optional nameEnd-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
+Optional nbfThe "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
+Optional nicknameCasual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
+Optional nonceString value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.
+Optional phone_End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
+Optional phone_True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
+Optional pictureURL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
+Optional preferred_Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.
+Optional profileURL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
+Optional sidSession ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
+Subject - Identifier for the End-User at the Issuer.
+Optional updated_Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
+Optional websiteURL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
+Optional zoneinfoString from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
+Generated using TypeDoc
Standard JWT claims.
-Standard JWT claims.
+Optional audThe "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific.
-Optional expThe "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
-Optional iatThe "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.
-Optional issThe "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a StringOrURI value.
-Optional jtiThe "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string.
-Optional nbfThe "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
-Optional subThe "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value.
-Generated using TypeDoc
Optional audThe "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific.
+Optional expThe "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
+Optional iatThe "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value.
+Optional issThe "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a StringOrURI value.
+Optional jtiThe "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string.
+Optional nbfThe "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value.
+Optional subThe "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value.
+Generated using TypeDoc
Optional nonceThe request "nonce" parameter.
-Optional response_Optional scriptOptional stateThe request "state" parameter. For sign out requests, this parameter is optional.
-Generated using TypeDoc
Optional nonceThe request "nonce" parameter.
+Optional response_Optional scriptOptional stateThe request "state" parameter. For sign out requests, this parameter is optional.
+Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Standard OpenID Connect address claim. +
Standard OpenID Connect address claim. The Address Claim represents a physical mailing address.
-Optional countryCountry name component.
-Optional formattedFull mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
-Optional localityCity or locality component.
-Optional postal_Zip code or postal code component.
-Optional regionState, province, prefecture, or region component.
-Optional street_Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
-Generated using TypeDoc
Optional countryCountry name component.
+Optional formattedFull mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
+Optional localityCity or locality component.
+Optional postal_Zip code or postal code component.
+Optional regionState, province, prefecture, or region component.
+Optional street_Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
+Generated using TypeDoc
The settings used to configure the OidcClient.
-The settings used to configure the OidcClient.
+Optional acr_optional protocol param
-The URL of the OIDC/OAuth2 provider
-Optional client_Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")
+Optional acr_optional protocol param
+The URL of the OIDC/OAuth2 provider
+Optional client_Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")
See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
-Your client application's identifier as registered with the OIDC/OAuth2
-Optional client_Optional clockUnused
-Optional disablePKCEWill disable pkce validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)
-Optional displayoptional protocol param
-Optional extraAn object containing additional header to be including in request.
-Optional extraAn object containing additional query string parameters to be including in the authorization request. +
Your client application's identifier as registered with the OIDC/OAuth2
+Optional client_Optional disablePKCEWill disable PKCE validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)
+Optional displayoptional protocol param
+Optional extraAn object containing additional header to be including in request.
+Optional extraAn object containing additional query string parameters to be including in the authorization request.
E.g, when using Azure AD to obtain an access token an additional resource parameter is required. extraQueryParams: {resource:"some_identifier"}
Optional extraOptional fetchSets the credentials for fetch requests. (default: "same-origin") +
Optional extraOptional fetchSets the credentials for fetch requests. (default: "same-origin") Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies
-Optional filterShould optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true) +
Optional filterShould optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true) When true, the following claims are removed by default: ["nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"] When specifying claims, the following claims are not allowed: ["sub", "iss", "aud", "exp", "iat"]
-Optional loadFlag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)
-Optional max_optional protocol param
-Optional mergeIndicates if objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the id token as a single object.
-Otherwise, they are added to an array as distinct objects for the claim type. (default: false)
Optional metadataProvide metadata when authority server does not allow CORS on the metadata endpoint
-Optional metadataCan be used to seed or add additional values to the results of the discovery request
-Optional metadataOptional loadFlag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)
+Optional max_optional protocol param
+Optional mergeIndicates how objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the
+id token as a single object. (default: { array: "replace" })
Optional post_The OIDC/OAuth2 post-logout redirect URI
-Optional promptoptional protocol param
-The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider
-Optional refreshOnly scopes in this list will be passed in the token refresh request.
-Optional refreshsince version 2.1.0. Use fetchRequestCredentials instead.
-Optional resourceoptional protocol param
-Optional response_optional protocol param (default: "query")
-Optional response_The type of response desired from the OIDC/OAuth2 provider (default: "code")
-Optional revokeWill check the content type header of the response of the revocation endpoint to match these passed values (default: [])
-Optional scopeThe scope being requested from the OIDC/OAuth2 provider (default: "openid")
-Optional signingProvide signingKeys when authority server does not allow CORS on the jwks uri
-Optional staleNumber (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900)
-Optional stateStorage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window). +
Optional metadataProvide metadata when authority server does not allow CORS on the metadata endpoint
+Optional metadataCan be used to seed or add additional values to the results of the discovery request
+Optional metadataOptional post_The OIDC/OAuth2 post-logout redirect URI
+Optional promptoptional protocol param
+The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider
+Optional refreshOnly scopes in this list will be passed in the token refresh request.
+Optional resourceoptional protocol param
+Optional response_Optional protocol param +The response mode used by the authority server is defined by the response_type unless explicitly specified:
+Optional response_The type of response desired from the OIDC/OAuth2 provider (default: "code")
+Optional revokeWill check the content type header of the response of the revocation endpoint to match these passed values (default: [])
+Optional scopeThe scope being requested from the OIDC/OAuth2 provider (default: "openid")
+Optional signingProvide signingKeys when authority server does not allow CORS on the jwks uri
+Optional staleNumber (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900)
+Optional stateStorage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window).
E.g. stateStore: new WebStorageStateStore({ store: window.localStorage })
Optional ui_optional protocol param
-Optional userUnused
-Generated using TypeDoc
Optional ui_optional protocol param
+Generated using TypeDoc
OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.
-REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
-OPTIONAL. Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP. If omitted, the default value is false. +
OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.
+REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
+OPTIONAL. Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP. If omitted, the default value is false. https://openid.net/specs/openid-connect-backchannel-1_0.html#toc
-OPTIONAL. Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If omitted, the default value is false. +
OPTIONAL. Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If omitted, the default value is false. https://openid.net/specs/openid-connect-backchannel-1_0.html#toc
-REQUIRED. URL of an OP iframe that supports cross-origin communications for session state information with the RP Client, using the HTML5 postMessage API. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. The page is loaded from an invisible iframe embedded in an RP page so that it can run in the OP's security context. It accepts postMessage requests from the relevant RP iframe and uses postMessage to post back the login status of the End-User at the OP.
-OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core]. +
REQUIRED. URL of an OP iframe that supports cross-origin communications for session state information with the RP Client, using the HTML5 postMessage API. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. The page is loaded from an invisible iframe embedded in an RP page so that it can run in the OP's security context. It accepts postMessage requests from the relevant RP iframe and uses postMessage to post back the login status of the End-User at the OP.
+OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core]. Values defined by this specification are normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims.
-OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false.
-RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
-Exchange (PKCE) [RFC7636] code challenge methods supported by this +
OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false.
+RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
+Exchange (PKCE) [RFC7636] code challenge methods supported by this authorization server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are those @@ -139,254 +47,29 @@
OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core].
-REQUIRED. URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
-OPTIONAL. Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also included in ID Tokens issued by the OP. If omitted, the default value is false. +
OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Core].
+REQUIRED. URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
+OPTIONAL. Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also included in ID Tokens issued by the OP. If omitted, the default value is false. https://openid.net/specs/openid-connect-frontchannel-1_0.html
-OPTIONAL. Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If omitted, the default value is false. +
OPTIONAL. Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If omitted, the default value is false. https://openid.net/specs/openid-connect-frontchannel-1_0.html
-OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"].
-The fully qualified URL of the server's introspection endpoint defined by OAuth Token Introspection [RFC7662 : https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#RFC7662] +
OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"].
+The fully qualified URL of the server's introspection endpoint defined by OAuth Token Introspection [RFC7662 : https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#RFC7662] https://openid.net/specs/openid-heart-oauth2-2015-12-07.html
-REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
-REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
-RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint [https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Registration].
-OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support none and RS256.
-OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers is ["query", "fragment"].
-REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
-The fully qualified URL of the server's revocation endpoint defined by OAuth 2.0 Token Revocation [RFC7009 : https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#RFC7009] +
REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
+REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
+RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint [https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Registration].
+OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support none and RS256.
+OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers is ["query", "fragment"].
+REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
+The fully qualified URL of the server's revocation endpoint defined by OAuth 2.0 Token Revocation [RFC7009 : https://openid.net/specs/openid-heart-oauth2-2015-12-07.html#RFC7009] https://openid.net/specs/openid-heart-oauth2-2015-12-07.html
-RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
-OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation.
-REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.
-URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used.
-OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
-OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
-OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646 : https://openid.net/specs/openid-connect-discovery-1_0.html#RFC5646] language tag values.
-RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
-Generated using TypeDoc
RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
+OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation.
+REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.
+URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used.
+OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
+OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
+OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646 : https://openid.net/specs/openid-connect-discovery-1_0.html#RFC5646] language tag values.
+RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
+Generated using TypeDoc
Standard OpenID Connect claims. +
Standard OpenID Connect claims. They can be requested to be returned either in the UserInfo Response or in the ID Token.
-Optional addressEnd-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1.
-Optional birthdateEnd-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
-Optional emailEnd-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax.
-Optional email_True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
-Optional family_Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
-Optional genderEnd-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
-Optional given_Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
-Optional localeEnd-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US;
-Optional middle_Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
-Optional nameEnd-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
-Optional nicknameCasual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
-Optional phone_End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
-Optional phone_True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
-Optional pictureURL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
-Optional preferred_Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.
-Optional profileURL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
-Optional subSubject - Identifier for the End-User at the Issuer.
-Optional updated_Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
-Optional websiteURL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
-Optional zoneinfoString from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
-Generated using TypeDoc
Optional addressEnd-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1.
+Optional birthdateEnd-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
+Optional emailEnd-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax.
+Optional email_True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
+Optional family_Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
+Optional genderEnd-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
+Optional given_Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
+Optional localeEnd-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US;
+Optional middle_Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
+Optional nameEnd-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
+Optional nicknameCasual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
+Optional phone_End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
+Optional phone_True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
+Optional pictureURL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
+Optional preferred_Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace.
+Optional profileURL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
+Optional subSubject - Identifier for the End-User at the Issuer.
+Optional updated_Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
+Optional websiteURL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
+Optional zoneinfoString from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
+Generated using TypeDoc
Optional closeClose popup window after time in seconds, by default it is -1. To enable this feature set value greater than 0
-Optional heightOptional leftOptional locationOptional menubarOptional resizableOptional scrollbarsOptional statusOptional toolbarOptional topOptional widthGenerated using TypeDoc
Optional closeClose popup window after time in seconds, by default it is -1. To enable this feature set value greater than 0
+Optional heightOptional leftOptional locationOptional menubarOptional resizableOptional scrollbarsOptional statusOptional toolbarOptional topOptional widthGenerated using TypeDoc
Generated using TypeDoc
Optional popupOptional popupGenerated using TypeDoc
Generated using TypeDoc
Optional redirectOptional redirectGenerated using TypeDoc
Generated using TypeDoc
Opaque session state used to validate if session changed (monitorSession)
+Optional subSubject identifier
+Generated using TypeDoc
Optional acr_Optional client_Optional disablePKCEOptional displayOptional extraOptional extraOptional id_Optional login_Optional max_Optional nonceOptional promptOptional requestOptional request_Optional request_Optional resourceOptional response_Optional skipOptional state_custom "state", which can be used by a caller to have "data" round tripped
-Optional ui_Optional url_Generated using TypeDoc
Optional acr_Optional client_Optional disablePKCEOptional displayOptional extraOptional extraOptional id_Optional login_Optional max_Optional nonceOptional promptOptional requestOptional request_Optional request_Optional resourceOptional response_Optional skipOptional state_custom "state", which can be used by a caller to have "data" round tripped
+Optional ui_Optional url_Generated using TypeDoc
Optional client_Optional code_Optional code_Optional createdOptional dataOptional extraOptional idOptional request_Optional response_Optional skipOptional url_Generated using TypeDoc
Optional client_Optional extraOptional id_Optional post_Optional request_Optional state_custom "state", which can be used by a caller to have "data" round tripped
-Generated using TypeDoc
Optional client_Optional extraOptional id_Optional post_Optional request_Optional state_custom "state", which can be used by a caller to have "data" round tripped
+Generated using TypeDoc
Generated using TypeDoc
Optional timeoutGenerated using TypeDoc
The settings used to configure the UserManager.
-The settings used to configure the UserManager.
+Optional accessThe number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60)
-Optional acr_optional protocol param
-The URL of the OIDC/OAuth2 provider
-Optional automaticFlag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The automatic renew attempt starts 1 minute before the access token expires (default: true)
-Optional checkInterval in seconds to check the user's session (default: 2)
-Optional client_Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")
+Optional accessThe number of seconds before an access token is to expire to raise the accessTokenExpiring event (default: 60)
+Optional acr_optional protocol param
+The URL of the OIDC/OAuth2 provider
+Optional automaticFlag to indicate if there should be an automatic attempt to renew the access token prior to its expiration. The automatic renew attempt starts 1 minute before the access token expires (default: true)
+Optional checkInterval in seconds to check the user's session (default: 2)
+Optional client_Client authentication method that is used to authenticate when using the token endpoint (default: "client_secret_post")
See https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
-Your client application's identifier as registered with the OIDC/OAuth2
-Optional client_Optional clockUnused
-Optional disablePKCEWill disable pkce validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)
-Optional displayoptional protocol param
-Optional extraAn object containing additional header to be including in request.
-Optional extraAn object containing additional query string parameters to be including in the authorization request. +
Your client application's identifier as registered with the OIDC/OAuth2
+Optional client_Optional disablePKCEWill disable PKCE validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)
+Optional displayoptional protocol param
+Optional extraAn object containing additional header to be including in request.
+Optional extraAn object containing additional query string parameters to be including in the authorization request.
E.g, when using Azure AD to obtain an access token an additional resource parameter is required. extraQueryParams: {resource:"some_identifier"}
Optional extraOptional fetchSets the credentials for fetch requests. (default: "same-origin") +
Optional extraOptional fetchSets the credentials for fetch requests. (default: "same-origin") Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies
-Optional filterShould optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true) +
Optional filterShould optional OIDC protocol claims be removed from profile or specify the ones to be removed (default: true) When true, the following claims are removed by default: ["nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"] When specifying claims, the following claims are not allowed: ["sub", "iss", "aud", "exp", "iat"]
-Optional iframeThe target to pass while calling postMessage inside iframe for callback (default: window.location.origin)
-Optional iframeThe script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin)
-Optional includeFlag to control if id_token is included as id_token_hint in silent renew calls (default: false)
-Optional includeFlag to control if id_token is included as id_token_hint in silent signout calls (default: false)
-Optional loadFlag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)
-Optional max_optional protocol param
-Optional mergeIndicates if objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the id token as a single object.
-Otherwise, they are added to an array as distinct objects for the claim type. (default: false)
Optional metadataProvide metadata when authority server does not allow CORS on the metadata endpoint
-Optional metadataCan be used to seed or add additional values to the results of the discovery request
-Optional metadataOptional monitorOptional monitorWill raise events for when user has performed a signout at the OP (default: false)
-Optional popupThe features parameter to window.open for the popup signin window. By default, the popup is +
Optional iframeThe target to pass while calling postMessage inside iframe for callback (default: window.location.origin)
+Optional iframeThe script origin to check during 'message' callback execution while performing silent auth via iframe (default: window.location.origin)
+Optional includeFlag to control if id_token is included as id_token_hint in silent renew calls (default: false)
+Optional includeFlag to control if id_token is included as id_token_hint in silent signout calls (default: false)
+Optional loadFlag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile (default: false)
+Optional max_optional protocol param
+Optional mergeIndicates how objects returned from the user info endpoint as claims (e.g. address) are merged into the claims from the
+id token as a single object. (default: { array: "replace" })
Optional metadataProvide metadata when authority server does not allow CORS on the metadata endpoint
+Optional metadataCan be used to seed or add additional values to the results of the discovery request
+Optional metadataOptional monitorOptional monitorWill raise events for when user has performed a signout at the OP (default: false)
+Optional popupThe features parameter to window.open for the popup signin window. By default, the popup is placed centered in front of the window opener. (default: { location: false, menubar: false, height: 640, closePopupWindowAfterInSeconds: -1 })
-Optional popupThe target parameter to window.open for the popup signin window (default: "_blank")
-Optional popup_Optional popup_The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2
-Optional post_The OIDC/OAuth2 post-logout redirect URI
-Optional promptoptional protocol param
-Optional query_Optional redirectThe methods window.location method used to redirect (default: "assign")
-Optional redirectThe methods target window being redirected (default: "self")
-The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider
-Optional refreshOnly scopes in this list will be passed in the token refresh request.
-Optional refreshsince version 2.1.0. Use fetchRequestCredentials instead.
-Optional resourceoptional protocol param
-Optional response_optional protocol param (default: "query")
-Optional response_The type of response desired from the OIDC/OAuth2 provider (default: "code")
-Optional revokeWill check the content type header of the response of the revocation endpoint to match these passed values (default: [])
-Optional revokeThe token_type_hints to pass to the authority server by default (default: ["access_token", "refresh_token"])
Optional popupThe target parameter to window.open for the popup signin window (default: "_blank")
+Optional popup_Optional popup_The URL for the page containing the call to signinPopupCallback to handle the callback from the OIDC/OAuth2
+Optional post_The OIDC/OAuth2 post-logout redirect URI
+Optional promptoptional protocol param
+Optional query_Optional redirectThe methods window.location method used to redirect (default: "assign")
+Optional redirectThe methods target window being redirected (default: "self")
+The redirect URI of your client application to receive a response from the OIDC/OAuth2 provider
+Optional refreshOnly scopes in this list will be passed in the token refresh request.
+Optional resourceoptional protocol param
+Optional response_Optional protocol param +The response mode used by the authority server is defined by the response_type unless explicitly specified:
+Optional response_The type of response desired from the OIDC/OAuth2 provider (default: "code")
+Optional revokeWill check the content type header of the response of the revocation endpoint to match these passed values (default: [])
+Optional revokeThe token_type_hints to pass to the authority server by default (default: ["access_token", "refresh_token"])
Token types will be revoked in the same order as they are given here.
-Optional revokeWill invoke the revocation endpoint on signout if there is an access token for the user (default: false)
-Optional scopeThe scope being requested from the OIDC/OAuth2 provider (default: "openid")
-Optional signingProvide signingKeys when authority server does not allow CORS on the jwks uri
-Optional silentNumber of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10)
-Optional silent_The URL for the page containing the code handling the silent renew
-Optional staleNumber (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900)
-Optional stateStorage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window). +
Optional revokeWill invoke the revocation endpoint on signout if there is an access token for the user (default: false)
+Optional scopeThe scope being requested from the OIDC/OAuth2 provider (default: "openid")
+Optional signingProvide signingKeys when authority server does not allow CORS on the jwks uri
+Optional silentNumber of seconds to wait for the silent renew to return before assuming it has failed or timed out (default: 10)
+Optional silent_The URL for the page containing the code handling the silent renew
+Optional staleNumber (in seconds) indicating the age of state entries in storage for authorize requests that are considered abandoned and thus can be cleaned up (default: 900)
+Optional stateStorage object used to persist interaction state (default: window.localStorage, InMemoryWebStorage iff no window).
E.g. stateStore: new WebStorageStateStore({ store: window.localStorage })
Optional stopOptional ui_optional protocol param
-Optional userUnused
-Optional userStorage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window). +
Optional stopOptional ui_optional protocol param
+Optional userStorage object used to persist User for currently authenticated user (default: window.sessionStorage, InMemoryWebStorage iff no window).
E.g. userStore: new WebStorageStateStore({ store: window.localStorage })
Optional validateFlag to validate user.profile.sub in silent renew calls (default: true)
-Generated using TypeDoc
Optional validateFlag to validate user.profile.sub in silent renew calls (default: true)
+Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Rest ...ev: unknown[]Generated using TypeDoc
Rest ...ev: unknown[]Generated using TypeDoc
Optional state?: unknowncustom "state", which can be used by a caller to have "data" round tripped
-Generated using TypeDoc
Optional state?: unknowncustom "state", which can be used by a caller to have "data" round tripped
+Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Optional extraOptional skipGenerated using TypeDoc
Optional extraOptional skipGenerated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Optional code_Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Holds claims represented by a combination of the id_token and the user info endpoint.
Generated using TypeDoc
Holds claims represented by a combination of the id_token and the user info endpoint.
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Generated using TypeDoc
Const Generated using TypeDoc
Const Generated using TypeDoc
Add callback: Raised after the access token has expired.
-